FOREWORD


Final documentation of the Safety in Earth Orbit Study is submitted by 
the Space Division of North American Rockwell Corporation to the National 
Aeronautics and Space Administration, Manned Spacecraft Center, Houston, 
Texas, in compliance with DRL Line Items 3 and 4 of NASA-MSC Contract 
NAS9-12004.

The 12-month study was performed for the NASA Manned Spacecraft Center 
by the Space Applications Programs organization at the Space Division of 
North American Rockwell. Mr. P. E. Westerfield of the Safety Office was the 
NASA technical manager. 

Documentation of the study results is as shown in the following table. 

1.0 INTRODUCTION


This volume of the final report contains a listing of the safety requirements
and guidelines for the space shuttle payloads generated during the study.
Part I refers to sortie modules; Part II to upper stage vehicles; and Part III
to the space station. Similar requirements and guidelines for the shuttle
orbiter are contained in Volume IV. These volumes are intended for use in
performance specifications in Phases C and D of these programs.

The requirements and guidelines presented here are specific to the hazards
and emergencies analyzed in the study tasks, and must not be interpreted
as a complete list of safety requirements and guidelines for the various
programs. It is hoped, however, that these volumes can be amplified as further
safety studies are performed, so that eventually they will represent a complete
system safety specification, covering the safety aspects of all mission phases
of each vehicle.

The requirements and guidelines are listed in two sections. Section 3.0
contains the requirements and guidelines which must be implemented on the
shuttle payloads. Section 4.0 contains the interface safety requirements and
guidelines with the shuttle orbiter; i.e., the requirements and guidelines
which must be imposed on the orbiter in order to ensure its safety. The
inclusion of a requirement or guideline for a particular vehicle, say a sortie
module, must not be taken as a decision that the requirement or guideline must
be implemented by that particular program (the sortie module in this case), or
charged to that program. It indicates that the provisions will physically be
implemented on that vehicle.

The source of these requirements and guidelines is Appendix D of Volume
II of this report, which contains the hazard/emergency analyses performed
during the study. The wording of each requirement or guideline recommended
in that volume is used verbatim in this volume. A minor exception occurs in
a few cases when two or three practically identical statements in the
hazard/emergency analyses (e.g., one dealing with flammable, toxic and corrosive
fluids) are combined into one statement (dealing with flammable, toxic or
corrosive fluids). Traceability to the hazard/emergency analysis of Volume II is
provided for each requirement and guideline through two letters and a number
or number/letter combination (e.g., RP-1.2.004 or GD-1.b) shown in parentheses
after each requirement and guideline. This numbering system, as well as the
definitions and format used, are described in the following sections. These
are consistent with the definitions and methodology used in performing the
hazard/emergency analyses.

Section 5.0 discusses the rationale for the requirements and guidelines
in this volume. A second parenthesis after certain requirements and guidelines
indicates a cross reference to the rationale in Section 5.0.

1.1 REQUIREMENTS AND GUIDELINES

The first letter in the parentheses after each requirement and guideline
indicates whether it is a requirement (R) or a guideline (G).

The difference between a requirement and a guideline is as follows: 

o A requirement (R) is regarded as a "must implement" item from 
the safety point of view. It eliminates an appreciable element 
of risk from the total spectrum of risks associated with the 
particular hazard or emergency. If recommended, a requirement 
is therefore not considered as an item to be rejected for cost, 
weight or similar reasons, since it significantly impacts safety. 

o A guideline (G) is regarded as a "strongly recommended" item
from the safety point of view. It does not eliminate any appreciable
element of risk, although it may reduce the occurrence
or the resulting effects of the hazard. The increase in safety
from a guideline in certain circumstances may not be commensurate
with the penalties of implementing it, and therefore it may
be traded off against cost, weight, etc. There is, in all cases,
a safety penalty (in the form of exposure to some additional
risk) whenever a guideline is not implemented, and this must be
recognized whenever such a decision is taken.

The requirements and guidelines which were generated were carefully 
worded so as to satisfy three criteria that were considered very important. 
These criteria are that the requirements and guidelines should: 

(a) Be verifiable — i.e., it should be possible to unambiguously 
verify whether each requirement or guideline has been met 
in the design or in the planned operations. Ambiguous or 
non-verifiable words such as "to the maximum extent possible"
or "adequate" have therefore been avoided.

(b) Meet the mathematician's "necessary but sufficient" criterion — 
i.e., they should specify every condition that must be met to 
satisfy the safety objective, but they should not specify more 
than is required for safety. The latter point is particularly 
important since the tendency is to select particular design or 
operational solutions which restrict the designer's choice 
rather than stating only the requirement in general terms. 

(c) Be written in precise and unambiguous language, suitable for 
incorporation into preliminary requirements specifications 
for Phases B or C. 

1.2 REMEDIAL OR PREVENTIVE 

The second letter in the parentheses after each requirement or guideline
indicates whether this particular requirement or guideline contributes toward
preventing (P) the hazard/emergency, or toward remedying (R) the situation
after the hazard or emergency has occurred. This does not refer to whether
or not the requirement or guideline prevents injury or damage following the
occurrence of the hazard or emergency.

1.3 HAZARD/EMERGENCY ANALYSIS

The particular hazard/emergency analysis or analyses which originated
each particular requirement or guideline is identified by the number or
number/letter combination in the parentheses following each requirement or
guideline. The reference is to Volume II of this report, Hazard/Emergency
Analyses. The hazard/emergency analyses are listed in numerical order in
that volume. A letter, such as in 1.B, indicates that the requirement or
guideline appears in more than one hazard/emergency analysis; such
requirements and guidelines are listed alphabetically by the identifying letter in
Volume II at the beginning of each section.
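
The tag scheme of Sections 1.1 to 1.3, together with the wording criterion of 1.1(a), can be checked mechanically. The following Python sketch is an added example and not part of the original report; the names `Statement`, `parse_statement` and `SAMPLES`, and the exact reference shapes encoded in the regular expressions (three digits in the last field of an analysis number, one or two letters for a shared item), are assumptions inferred from the tags visible in this volume.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

KIND = {"R": "requirement", "G": "guideline"}   # first letter, Section 1.1
ROLE = {"P": "preventive", "R": "remedial"}     # second letter, Section 1.2
# Wording that Section 1.1(a) names as non-verifiable (only these two are given).
AMBIGUOUS = ("to the maximum extent possible", "adequate")

# Traceability tag: two letters, a hyphen, comma-separated references.
# The lookahead skips rationale cross references such as (II-5.3).
TAG_RE = re.compile(r"\((?![IVX]+-5\.)([A-Z])([A-Z])-([^()]*)\)")
ANALYSIS_RE = re.compile(r"\d+\.\d+\.\d{3}")       # assumed shape, e.g. 1.2.004
SHARED_RE = re.compile(r"\d+\.[A-Za-z]{1,2}")      # assumed shape, e.g. 1.B, 1.dd
RATIONALE_RE = re.compile(r"\(([IVX]+-5\.\d+)\)")  # e.g. (I-5.1)


@dataclass
class Statement:
    text: str
    kind: Optional[str] = None          # requirement / guideline
    role: Optional[str] = None          # preventive / remedial
    analyses: List[str] = field(default_factory=list)   # single analyses
    shared: List[str] = field(default_factory=list)     # multi-analysis items
    rationale: List[str] = field(default_factory=list)  # Section 5.0 references
    problems: List[str] = field(default_factory=list)


def parse_statement(line: str) -> Statement:
    """Split one requirement/guideline line into its traceability fields."""
    st = Statement(text=line)
    st.rationale = RATIONALE_RE.findall(line)
    tag = TAG_RE.search(line)
    if tag is None:
        st.problems.append("no traceability tag")
    else:
        first, second, refs = tag.groups()
        st.kind = KIND.get(first)
        st.role = ROLE.get(second)
        if st.kind is None:
            st.problems.append(f"first letter {first!r} is not R or G")
        if st.role is None:
            st.problems.append(f"second letter {second!r} is not P or R")
        for ref in (r.strip() for r in refs.split(",")):
            if ANALYSIS_RE.fullmatch(ref):
                st.analyses.append(ref)
            elif SHARED_RE.fullmatch(ref):
                st.shared.append(ref)
            else:
                st.problems.append(f"unrecognized analysis reference {ref!r}")
    lowered = line.lower()
    for phrase in AMBIGUOUS:
        if phrase in lowered:
            st.problems.append(f"non-verifiable wording: {phrase!r}")
    return st


# First two lines: statements from this volume's list, scan damage normalized.
# Last two lines: constructed here to show malformed input.
SAMPLES = [
    "Tanks shall be designed so that failure due to overpressure will not "
    "produce shrapnel. (GR-1.C, 1.1.001) (I-5.4)",
    "Separate lines shall be used for the transfer of fuel and oxidizer. "
    "(RR-1.3.003)",
    "Adequate shielding shall be provided. (XP-1.2)",
    "Leak detection shall be provided.",
]


def lint(lines: List[str]) -> List[Statement]:
    """Return only the statements that have at least one problem."""
    return [s for s in map(parse_statement, lines) if s.problems]


if __name__ == "__main__":
    for s in map(parse_statement, SAMPLES):
        print(s.kind, s.role, s.shared, s.analyses, s.rationale, s.problems)
```
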

1.4 HAZARD REDUCTION PRECEDENCE SEQUENCE 

The requirements and guidelines were developed in the hazard/emergency
analyses by using the hazard reduction sequence of OMSF Safety Project
Directive SPD-1A. The sequence is explained in Volume II, Hazard/Emergency
Analyses, in which it is used. The resulting requirements and guidelines fall
into four categories as a result of this, and they are grouped together in
this volume into four sections, as follows:

3.1 Design Requirements and Guidelines 

3.2 Safety Devices 

3.3 Warning Devices 

3.4 Operational Procedures 

The four sections correspond to the first four steps (Numbers 1-4) on the
hazard reduction precedence sequence (see Volume II). Each of the above four
sections therefore contains all the requirements and guidelines which satisfy
each of the four hazard reduction precedence sequence steps, as identified
against each requirement and guideline in the hazard/emergency analyses in
Volume II.

The interface requirements and guidelines in Section 4.0 of this volume
have not been separated into this sequence, because of their relatively small
numbers.

1.5 RESIDUAL HAZARDS 

The last step of the hazard reduction precedence sequence (Number 5) calls
for the identification of a particular hazard as a residual hazard. This
occurs when injury or loss of personnel or damage to or loss of equipment is
still possible from this hazard or emergency even when the recommended
requirements and guidelines have been implemented.


Space Division 

North American Rockwell 


Residual hazards were identified in the hazard/emergency analyses in
Volume II. These are listed in Section 3.5 of this volume as applicable to
the shuttle payloads. The number in parentheses identifies the
hazard/emergency analysis in Volume II.

Some residual hazards are designated as acceptable risks. These are
hazards or emergencies in which the risk, after implementing the recommended
requirements and guidelines, is small enough that no further action is
considered necessary.

Other residual hazards are labeled with the term SRT Requirements. This
means that Supporting Research and Technology (SRT) requirements have been
identified to aid in resolving these hazards. These SRT requirements are
described in Volume II.

The remaining residual hazards are designated as unresolved safety issues.
These are hazards or emergencies for which the residual risk (after
implementing the recommended requirements and guidelines) is not acceptable, and for
which no adequate means for resolving the issue (such as defining supporting
research and technology requirements) has been identified.

It is suggested that procedures should be set up in the course of a program
for the periodic review of residual hazards. Different levels of management
should be involved, with the lowest level reviewing the acceptable risks, and
the unresolved safety issues being exposed to the highest management level.

2.0 BASELINE MODEL


The baseline model considered in the analyses included the vehicles shown 
in Figure 1. 



SHUTTLE ORBITER
  o INTEGRAL TANK
  o DROP TANK

SHUTTLE PAYLOADS
  o SORTIE MODULES
  o SATELLITES
  o UPPER STAGE VEHICLES

SPACE STATION
  o INITIAL (6-MAN)
  o GROWTH (12-MAN)

Figure 1. Vehicles Considered


Initial analysis was based on the integral tank shuttle orbiter, but 
emphasis was later switched to the drop tank orbiter as this concept developed. 
The assumptions made were broad enough that no results were invalidated by 
this change. 


Shuttle payloads considered included manned and unmanned sortie payloads
(i.e., attached to the orbiter), satellites delivered to earth orbit, and
potential upper stage vehicles used to deliver unmanned payloads to orbits
beyond the orbiter's capabilities.

Upper stage vehicles specifically considered included the following:

o Agena
o Centaur
o Transtage
o Burner II
o Apollo Service Module
o Orbit-to-Orbit Shuttle (OOS)/Tug

These were considered as typical of potential upper stage vehicles in
order to identify potential hazards. They were only considered as they
operated in or near the orbiter while in earth orbit.

A typical shuttle mission, generated from NR Phase B shuttle data, is
shown in Figure 2. The boxed area shows the mission phases considered in
the study. Only potential hazards occurring in these on-orbit phases have
been considered. Sortie modules, satellites and upper stage vehicles were
considered and hazards identified only while these vehicles were transported
in orbit, deployed and retrieved by the orbiter, or operated in the vicinity
of the orbiter.


Figure 2. Typical Shuttle Mission (phases labeled in the figure include
rendezvous, on orbit, and de-orbit with retrograde burn)

The space stations considered were modular stations delivered to earth 
orbit and assembled by the orbiter. Initial 6-man versions and growth versions 
with up to 12 men, as defined in recent Phase B studies, were studied. Assembly 
of the space station, independent operation in earth orbit, and normal resupply 
by the orbiter were considered. 

I-3.0 SAFETY REQUIREMENTS AND GUIDELINES


This section contains safety requirements and guidelines developed 
from analyses of specific safety issues. The requirements and guidelines 
are grouped into five sub-sections, corresponding to the five steps of 
the hazard reduction precedence sequence. These five sub-sections are: 



I-3.1 Design Requirements and Guidelines

I-3.2 Safety Devices

I-3.3 Warning Devices

I-3.4 Operational Procedures

I-3.5 Residual Hazards

I-3.1 DESIGN REQUIREMENTS AND GUIDELINES

Hazardous Payloads

I-3.1.1 Toxic flammable corrosive fluid containers shall be located in
unpressurized volumes of pressurized payloads, or shall be
double contained with the capability of dumping the fluid to
space or off-loading to another double container, and of venting
the space between the two containers to space. (RP-1.Y, 1.2.001) (I-5.1)

I-3.1.2 Capability shall be provided to purge or dump to space a
toxically contaminated or corrosive atmosphere in a pressurized
orbiter payload. (RR-1.d, 1.2.001)

I-3.1.3 Capability to release, eject, or extend the payload shall be
provided so as to prevent damage to the orbiter at the expense
of the payload. (RR-1.h, 1.2.002)

I-3.1.4 Capability shall be provided for the orbiter crew to vent and
dump pressurized, flammable or hazardous payload fluids to
space within the time constraints imposed by an abort situation.
This capability shall be available with the cargo bay doors
open or closed. (RR-1.i, 1.2.002)

I-3.1.5 Capability shall be provided to switch off all electrical loads
to payload from the orbiter. (RP-1.j, 1.2.002)

I-3.1.6 Fire and heat resistant protection of orbiter to payload command
and instrumentation interfaces shall be provided. (RP-1.m, 1.2.002) (I-5.2)

I-3.1.7 Ignition sources in the orbiter bay, such as switches and
relays, shall be sealed or otherwise contained so as to prevent
ignition of flammable fluids. (RP-1.n, 1.2.002)

I-3.1.8 Capability shall be provided to automatically shut off forced
air circulation in a pressurized orbiter payload upon detection
of a fire. (RR-1.2.003) (I-5.3)

I-3.1.9 Materials used in pressurized payloads shall be subject to the
same flammability control procedures as those used within the
orbiter pressurized volumes. (RR-1.2.003)

I-3.1.10 Access for visual inspection by intravehicular activity or
remotely by instrumentation shall be provided to all primary
structure of pressurized payloads while in the orbiter cargo
bay. (GR-1.2.004)

I-3.1.11 The factors of safety of pressure vessels while in or near the
orbiter shall be at least equal to the orbiter tank factors
of safety. (GP-1.2.005)

I-3.1.12 Gaseous content of pressurized tanks shall be small enough so
that rapid isentropic expansion into the orbiter cargo bay
will not result in overpressure. (RR-1.2.005)

I-3.1.13 Tanks shall be designed so that failure due to overpressure
will not produce shrapnel. (GR-1.C, 1.1.001) (I-5.4)

I-3.1.14 Pressurized tanks shall be located or protected by shrapnel
proof barriers so that explosion of one will not propagate to
others. (RR-1.2.005)

I-3.1.15 Pressurized tanks shall be located or provided with shrapnel
proof barriers so that orbiter crew and passenger compartments
and equipment required for orbiter return to earth will be
protected in the event of a tank explosion. (RR-1.2.005)

I-3.1.16 Plumbing connections for hazardous fluid transfer in pressurized
areas shall be double contained with the capability of venting
the space between the two containers to space. (RR-1.3.002)

I-3.1.17 Cargo beyond the limits allowed for hand transfer shall be
transferred on guide rails or other mechanisms which positively
constrain the angular and linear motion of the cargo except
in the direction of motion. (RP-1.3.002) (I-5.5)

I-3.1.18 Cargo handling mechanisms shall allow for stoppage of the motion,
reversal of the motion, or release of the cargo at any point
along the transfer path. (RP-1.dd, 1.3.002)

I-3.1.19 Cargo handling mechanisms shall be designed to withstand the
propulsive forces that would result from a leaking or ruptured
fluid cargo. (RR-1.hh, 1.3.002)

I-3.1.20 Separate lines shall be used for the transfer of fuel and
oxidizer. (RR-1.3.003)

I-3.1.21 Automatic and/or crew controlled emergency means shall be
provided for shutting off power and arresting the motion of
cargo transfer mechanisms. (RR-1.3.004)

I-3.1.22 Cargo shall be packaged during transfer so as to have no exposed
sharp edges or corners. (RR-1.3.004)

I-3.1.23 Crew controlled cargo transfer velocity shall be limited so
that the cargo can at all times be stopped within the visible
range. (RP-1.3.004)

Capability shall be provided to rapidly evacuate personnel from
and seal off radioactively contaminated modules until they can
be returned to earth. (RR-1.3.005)

I-3.1.25 Means shall be available for decontaminating equipment and
personnel exposed to radioactive material and for storing
and returning to earth radioactively contaminated clothing
and other material. (RR-1.3.005)

On-Board Survivability

I-3.1.26 Normally habitable compartments of more than 25 m³ (880 ft³)
in volume shall have two or more exits into areas which provide
for personnel survival. These exits shall be at least 3 m
(10 ft) apart. (RR-3.C, 3.1.001)

I-3.1.27 Flammable, explosive or gas generating material shall be located
so that the energy content which can be propagated at any one
location shall not result in overpressurization of the compartment
from heat and gas production. (RR-3.D, 3.1.001)

I-3.1.28 Flammable, explosive or gas generating material within 3 m (10 ft)
of the entrance to compartments with only one entry/egress path
shall be limited so that the energy content, if released, will
not result in damage or an environment which prevents shirtsleeve
access through the entrance. (RR-3.E, 3.1.001)

I-3.1.29 Emergency capability shall be provided on manned sortie modules
for the return to earth of all the passengers in the sortie
module, without life support from the orbiter. (GR-3.K, 3.1.002)

I-3.1.30 Two or more entrances into normally habitable compartments of more
than 25 m³ (880 ft³) in volume shall be shirtsleeve accessible
from each of the other normally inhabited compartments. These
entrances shall be at least 3 m (10 ft) apart. (RR-3.1.002)

I-3.1.31 Where only one shirtsleeve ingress/egress path is provided into
a compartment or module, redundant means shall be available for
opening the connecting hatch(es) from either side. (PR-3.1.005)

I-3.1.32 Manned sortie modules and space station modules shall be designed
so that they can be undocked, retrieved into the orbiter cargo
bay and returned to earth unpressurized. (GR-3.1.007)

I-3.1.33 Capability shall be provided to depressurize docked modules
before undocking. (RR-3.1.007)

I-3.2 SAFETY DEVICES

Hazardous Payloads

I-3.2.1 Emergency capability shall be provided to sustain personnel when
in a manned payload, following detection of a toxic environment in
the payload, until escape into the orbiter can be effected.
(RR-1.b, 1.2.001)

I-3.2.2 Special protective garments and equipment shall be provided for
personnel working in a toxic environment or near potentially toxic
payload elements. (RP-1.c, 1.2.001)

I-3.2.3 Manually and remotely controlled means shall be provided in
pressurized orbiter payloads for controlling and extinguishing
fires. (RR-1.2.003)

I-3.2.4 Emergency life support shall be provided for all personnel in
manned orbiter payloads sufficient to allow them time to control
a fire and/or escape to the orbiter. (RR-1.2.003)

I-3.2.5 Capability shall be provided to relieve atmospheric pressure from
an orbiter payload so as to prevent pressurization beyond the
payload structural limits. This capability shall be automatic when
the payload is not manned, and under control of the occupants when
manned. The maximum dump rate shall not exceed the venting
capability of the orbiter cargo bay with the cargo bay doors closed.
(RR-1.2.003)

I-3.2.6 Means shall be provided for the local application of radiant or
other type of heat remotely or by personnel in IVA or EVA activity
to evaporate accumulations of frozen fluids from critical areas.
(1.2.004) (I-5.6)

I-3.2.7 Relief capability shall be provided for pressurized tanks which
automatically limit maximum pressure. Venting shall be to space or
to a tank at lower pressure, and shall be arranged so that mutually
reactive fluids cannot mix and result in a fire or explosion.
(RP-1.2.005)

I-3.2.8 Hazardous fluids or materials shall be double contained during
handling and transfer in pressurized areas. Capability shall be
provided to verify the integrity of both containers before and
after transfer. (RP-1.o, 1.3.001) (I-5.7)

I-3.2.9 Capability shall be provided to vent the space between double
containers for hazardous fluid handling to space and for dumping
the fluid to space or off-loading to another container. (RP-1.p, 1.3.001)

I-3.2.10 Emergency capability shall be provided to sustain personnel when in
a manned payload, following detection of a toxic environment in the
payload, until escape into the orbiter can be effected. (RR-1.b, 1.2.001)

I-3.2.11 Special protective garments and equipment shall be provided for
personnel working in a toxic environment or near potentially
toxic payload elements. (RR-1.c, 1.2.001)

I-3.2.12 Packaging of hand-carried cargo shall be provided with multiple
hand holds, shall allow forward visibility by the controlling
personnel, and shall be capable of surviving impact against a
sharp object at 3 m/sec (10 ft/sec). (RP-1.aa, 1.3.001) (I-5.8)

I-3.2.13 Provisions shall be made for rapidly securing hand-carried cargo
to various structural points along the transfer path so as to
prevent loss of control of the cargo in the event of an emergency.
(RP-1.bb, 1.3.001)

I-3.2.14 Corrosive fluids or materials shall be double contained during
handling and transfer in unpressurized areas. Capability shall
be provided to verify the integrity of both containers before
and after transfer. (RP-1.3.003)

Cargo of more than 45 kg (100 lb) mass, or hazardous cargo shall
be tethered at all times during handling and transfer in pressurized
areas either to the spacecraft structure or to the transfer
mechanism so as to limit the possible travel of the cargo following
a failure of the primary cargo attach mechanism. (RR-1.3.004) (I-5.9)

Spare shielded containers shall be available in which radioactive
materials can be temporarily stored in the event of an accident.
(RR-1.3.005) (I-5.14)

Means shall be provided for locating radioactive material which
has been inadvertently released in a module. (RR-1.3.005) (I-5.14)

On-Board Survivability

Capability shall be provided to reduce the pressure in each compartment
sufficiently, or increase it in the adjoining compartment(s)
and to cut off air circulation, so that in an emergency
the atmosphere in the affected compartment will not be propagated
into adjoining compartments. This capability shall be controlled
remotely from each compartment. (RR-3.A, 3.1.001)

Automatic venting capability shall be provided in each compartment
so that in the event of a fire or release of gases within the
compartment the pressure will not exceed the structural limits
of the structure or the capability of seals to other compartments
to exclude the contaminated atmosphere. (RR-3.B, 3.1.001)

I-3.2.20 Pressure suits and attendant life support shall be provided for
all orbiter/sortie module passengers on missions where the
configuration does not provide two separate pressurizable compartments
capable of returning all passengers to earth. (RR-3.1.004)

I-3.3 WARNING DEVICES

Hazardous Payloads

I-3.3.1 Double contained toxic flammable or corrosive fluid containers
shall be provided with means to detect leakage of the toxic
flammable or corrosive fluid into the space between the containers,
and with means to detect penetration of the outside container.
(R?-1.z, 1.3.001)

I-3.3.2 Means shall be provided for detecting a toxic flammable or oxygen
enriched environment in pressurized orbiter payloads containing
toxic, potentially toxic, flammable or oxygen enriched fluids.
(RP-1.a, 1.2.001) (I-5.10)

I-3.3.3 Capability shall be provided to detect potential tank failures by
measurement of fluid pressures, temperatures, tank strains, or
other means. (RP-1.P, 1.1.001)

I-3.3.4 Means shall be provided for detecting the presence of spilled
hazardous fluids or materials while being handled or transferred
between pressurized modules. (GR-1.t, 1.3.002)

I-3.4 OPERATIONAL PROCEDURES

Hazardous Payloads

I-3.4.1 Procedures shall be available for handling and transferring
hazardous fluids or materials in a pressurized area from a singly
penetrated double container to a storage container without releasing
fluid or material to the spacecraft atmosphere. (RP-1.3.001)

I-3.4.2 Manual handling and transfer of hazardous fluids or materials shall
be carried out by two or more personnel who shall have no other
duties during this operation. (RP-1.u, 1.3.001) (I-5.11)

I-3.4.3 During handling and transfer of hazardous fluids or materials,
no other manned operations shall be planned along the transfer
path. (RP-1.v, 1.3.001) (I-5.11)

I-3.4.4 Mutually reactive fluids shall not be handled or transferred
simultaneously. (RR-1.w, 1.3.001) (I-5.12)

I-3.4.5 The pressures, temperatures, or other parameters which indicate
the status of hazardous fluids or materials shall be verified
before they are transported. (RP-1.x, 1.3.001)

I-3.4.6 Emergency procedures shall be available for handling, containing,
and disposing of spilled hazardous fluids or materials so as to
safeguard the personnel, orbiter and payload, in that order.
(RR-1.3.001)

I-3.4.7 Transfer lines for hazardous fluids shall be located outside of
pressurized vessels or shall be double walled with the capability
of venting the space between the two containers to space.
(RR-1.3.002)

I-3.4.8 Transfer lines in pressurized areas, including double walled
lines, shall be purged after the transfer of hazardous fluids
and before breaking plumbing connections. (RP-1.3.002)

I-3.4.9 Emergency procedures shall be available for the release, handling
and transportation of remotely controlled cargo in the event of
failure of the handling mechanism, or of damage to the packaging
of the cargo. (GP-1.gg, 1.3.002)

I-3.4.10 Transfer lines in unpressurized areas shall be purged after the
transfer of hazardous fluids. (RP-1.3.003)

I-3.4.11 Emergency procedures shall be available for releasing cargo which
has become jammed in hitches or other restricted areas without
causing damage to the spacecraft structure or equipment. (RR-1.3.004)
(I-5.13)



I-3.4.12 Hand carried cargo shall be limited to 45 kg (100 lb) mass,
provided the center of mass is within 35 cms (14 ins.) of the
handhold. Cargo which exceeds these limits shall be transported with
mechanical assist. (RP-1.y, 1.3.001) (I-5.9)

I-3.4.13 Cargo in which a rupture or leakage through the containers would
result in uncontrolled motion of the cargo because of propulsive
forces beyond a single man's capability to control or because
toxicity requires immediate abandonment and evacuation of the
area shall not be hand-carried. (GR-1.z, 1.3.001)

I-3.4.14 The transfer of cargo with mechanical assist shall either be
visually monitored by personnel who are free of other duties,
or shall be provided with sensing devices which automatically
stop the motion if the cargo interfaces with structure or
equipment. (RP-1.ee, 1.3.002)

I-3.4.15 Personnel shall not be located during cargo transfer in positions
which can result in their entrapment if the cargo transfer
mechanism fails. (RR-1.ff, 1.3.002)

On Board Survivability

I-3.4.16 The orbiter crew shall not enter manned sortie modules during
the conduct of hazardous experiments. (RR-3.1.002)

I-3.4.17 Personnel shall not be allowed in a sortie or space station
module during repositioning of the module from one docking
port to another. (RR-3.1.006)

Acceptable Risk    Unresolved Safety Issues

I-3.5.1 Exposure of the shuttle crew or
passengers to a toxic environment
released from a vessel in the payload
containing a toxic fluid. (1.2.001)

I-3.5.2 A fire in the cargo bay resulting from
release and ignition of a flammable
fluid in an unpressurized payload.
(1.2.002)

I-3.5.3 A fire in a pressurized payload in the
cargo bay resulting from release and
ignition of a flammable fluid. (1.2.003)

I-3.5.4 A corrosive environment in the shuttle
cargo bay resulting from leakage or
rupture of a payload vessel containing
a corrosive fluid. (1.2.004)

I-3.5.5 An explosion in the shuttle cargo bay
of a potentially explosive payload
vessel. (1.2.005)

I-3.5.6 Spillage or leakage of hazardous fluid
or material during manual transfer in
pressurized modules. (1.3.001)

I-3.5.7 Spillage or leakage of hazardous fluids
or materials during mechanically
assisted or remote transfer in
pressurized modules. (1.3.002)

I-3.5.8 Spillage or leakage of hazardous fluid
or material during remote transfer in
unpressurized area. (1.3.003)

I-3.5.9 A radioactive environment in a sortie
module or space station, resulting
from exposure or escape of radioactive
material during transfer and handling
of radioactive materials. (1.3.005)

I-4.0 INTERFACE SAFETY REQUIREMENTS AND GUIDELINES


This section contains interface safety requirements and guidelines 
required by the sortie payloads to be applied in interfacing vehicles. 
These interface requirements and guidelines were developed from analyses 
of specific safety issues, and are grouped in this section by interfacing 
vehicle, as follows: 


1-4.1 Earth Orbital Shuttle 
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1-4.1 EARTH ORBITAL SHUTTLE 
Hazardous Payloads 

I-4.1.1 Capability shall be provided for visual inspection of an orbiter
payload before initiating retrieval and loading into the orbiter
cargo bay. (RP-1.1.015)

I-4.1.2 Positive indication shall be provided to the orbiter crew that a
retrieved payload has been properly secured in the cargo bay before
closing the cargo bay doors. (RP-1.1.015)

I-4.1.3 Capability shall be provided to isolate orbiter environmental
control system from payload to prevent toxic fumes from entering
the orbiter. (RR-1.2.003)

I-4.1.4 Access for visual inspection by intravehicular activity or remotely
by instrumentation shall be provided to all primary structure inside
the cargo bay or equipment in the cargo bay required for return
to earth. (GR-1.2.004)


On-Board Survivability 

I-4.1.5 The orbiter crew shall not enter manned sortie modules during
the conduct of hazardous experiments. (RR-3.1.002)

I-4.1.6 Pressure suits and attendant life support shall be provided for
all orbiter/sortie module passengers on missions where the
configuration does not provide two separate pressurizable compartments
capable of returning all passengers to earth. (RR-3.1.004)

I-5.0 RATIONALE FOR REQUIREMENTS AND GUIDELINES


This section discusses the rationale for some of the requirements and
guidelines. This discussion is confined to cases in which the rationale may
not be obvious, or where some clarifying explanations are in order. The
discussion in general follows the order of the requirements and guidelines,
and reference is made in parentheses, where appropriate, to specific
requirements and guidelines.

I-5.1 Wherever a fluid can create an immediate hazard if released
from its container into a pressurized environment, double
containment is recommended. This implies a double failure
to result in a hazardous release of the fluid. In order to
ensure that this redundancy is available, the volume between
the double containers must be monitored for leakage. Venting
capability is necessary to allow the outside container to be
of reasonably light-weight construction. (I-3.1.1)

I-5.2 Thermal insulation for protection against radiation from a
fire and to reduce heat conduction into structure and equipment
would considerably reduce the hazard from a fire in the
cargo bay. This is not generally considered feasible, however,
because of the weight and volume constraints, and is
only recommended for essential instrumentation. (I-3.1.6)

I-5.3 One of the most effective means for containing a fire in
zero-g is to eliminate convection currents, thus cutting
down the flow of fresh oxygen to the fire. Forced air
circulation should be cut off immediately if a fire is
detected, and capability to do this automatically should
be provided in case the payload is unmanned at the time.
(I-3.1.8)

I-5.4 The state-of-the-art is approaching the capability to design
pressure tanks so that their failure mode when overpressurized
does not produce shrapnel. This can be done, for example, by
using appropriately large factors of safety, or by using fiberglass
wound tanks. Shrapnel is potentially catastrophic to the
orbiter, and use of shrapnel-free tanks would therefore be
highly desirable. Because there is still doubt about the
practicability of achieving this, it is called out as a
guideline rather than a requirement. (I-3.1.13)

I-5.5 Cargo transferred with mechanical assist should not be
unrestrained at right angles to the direction of motion, since
this could result in damage by impact. (I-3.1.17)

I-5.6 If a corrosive fluid leaks in the cargo bay, expansion and
evaporation may cause some of the fluid to freeze, possibly
attached to structure or equipment. This may remain frozen
until re-entry or landing, when the solid may melt and
increase its corrosive action. Means for applying heat to
any solidified fluids are therefore required, possibly by
IVA or EVA personnel, to evaporate and disperse the frozen
fluids. (I-3.2.6)

I-5.7 It should take at least a double failure to result in release
of hazardous fluids during cargo transfer. Double containment
is therefore required, with means to verify the integrity
of both containers so as to ensure the required redundancy.
(I-3.2.8)

I-5.8 The maximum speed at which any piece of hand-carried cargo may
be propelled, intentionally or by accident, has been estimated
on human factors consideration to be 3 m/sec (10 ft/sec).
Cargo should be designed to survive such an impact. An alternative
means of specifying this limit could be by defining
the momentum of the package, thus allowing for an inverse
variation of velocity with mass. (I-3.2.12)

I-5.9 Limitations should be placed on the mass and inertias of
hand-carried cargo. The best available data has been used, but
these limits should be updated if better human factors data
become available. (I-3.2.15, I-3.4.12)

I-5.10 Toxic fluids are generally toxic when in a gaseous or finely
divided form. A toxic environment is therefore considered
detectable, e.g., by a gas analyzer. By contrast, corrosive
fluids generally act in a liquid form and cannot practically
be detected. (I-3.3.2)

I-5.11 The "buddy" system is recommended when hazardous fluids or
material is being handled so that one man can come to the
assistance of the other in the event of an accident or
problem. Handling of hazardous fluids or materials should
be a dedicated task, so as not to allow a problem to occur
because of interference with other tasks. (I-3.4.2, I-3.4.3)

I-5.12 A single accident could damage two or more containers.
Mutually reactive fluids should therefore not be handled
together. (I-3.4.4)

I-5.13 Jamming of cargo in doors, hatches or other restricted areas
can result in severe loss or damage if not handled with
method and patience. Procedures for releasing such cargo
should be developed ahead of time. Certain tools or other
aids may also be found necessary by developing these
procedures. (I-3.4.11)

I-5.14 Relatively few uses of radioactive material are currently
planned for sortie and solar-array powered space station
missions. However, Atomic Energy Commission regulations
call for strict safety measures to keep control of the
radioactive material, and to minimize the possibility of
exposing the general population on earth to excessive
radiation as a result of an accident. (I-3.2.16, I-3.2.17)


PART II - UPPER STAGE VEHICLES


II-3.0 SAFETY REQUIREMENTS AND GUIDELINES 


This section contains safety requirements and guidelines developed 
from analyses of specific safety issues. The requirements and guidelines 
are grouped into five sub-sections, corresponding to the five steps of 
the hazard reduction precedence sequence. These five sub-sections are: 


II-3.1 Design Requirements and Guidelines 

II-3.2 Safety Devices 

II-3.3 Warning Devices 
II-3.4 Operational Procedures 
II-3.5 Residual Hazards 

II-3.1 DESIGN REQUIREMENTS AND GUIDELINES

Hazardous Payloads

II-3.1.1 Upper stage vehicle pressures shall be limited while in or
near the orbiter such that the factors of safety are at least
equal to the orbiter tank factors of safety. (GP-1.A, 1.1.001)

II-3.1.2 Gaseous content of upper stage vehicle tanks shall be small
enough so that rapid isentropic expansion into the orbiter
cargo bay will not result in overpressure. (GR-1.B, 1.1.001)

II-3.1.3 Tanks shall be designed so that failure due to overpressure
will not produce shrapnel. (GR-1.C, 1.1.001) (II-5.1)

II-3.1.4 Housings of explosive charges shall be designed to prevent
damage to equipment required for orbiter abort in the event
of inadvertent detonation. (RP-1.1.003)

II-3.1.5 Destruct charges shall not be incorporated in upper stage
vehicles when launched in the orbiter. (RP-1.1.003)

II-3.1.6 Propellant shut-off valves upstream from all start valves
shall be provided so that inadvertent main valve opening
would not start engines on upper stage vehicles while in or
near the orbiter. (RP-1.1.007)

II-3.1.7 The design of the upper stage vehicle control system shall
only allow supply of electrical energy to the start valves
of the rocket engines following positive action by the
orbiter crew during upper stage vehicle count-down in
orbit. (RP-1.1.007)

II-3.1.8 The factors of safety for the upper stage vehicle and orbiter
attachment point shall be at least equal to the normal orbiter
structure factors of safety. (GP-1.1.008)

II-3.1.9 The upper stage vehicle shall be supported in the orbiter so
that failure of any one structural support member will not
jeopardize support of the upper stage vehicle during return
to earth. (RP-1.1.008)

II-3.1.10 The design of the upper stage vehicle control system shall
only allow supply of electrical energy to the separation
mechanism following positive action by the orbiter crew
during upper stage vehicle count-down in orbit. (RP-1.1.008)

II-3.1.11 Attitude control couples in all six rotational modes shall
be provided on upper stage vehicles. (GP-1.1.009) (II-5.2)

II-3.1.12 All attitude control engines and electronics shall be redundant
on upper stage vehicles. (RP-1.1.009)


SD 72-SA-0094-5 


II-3.1.13 All venting of the upper stage vehicles while near the orbiter
shall be non-propulsive or shall translate the vehicle away
from the orbiter. (RP-1.1.009)

II-3.1.14 No torques shall be imparted to the upper stage vehicle by
the separation mechanism. (GP-1.1.009)

II-3.1.15 Redundancy shall be provided in the means for separating the
upper stage vehicle. No single failure shall result in
unprogrammed motion of the upper stage vehicle. (RP-1.1.010)

II-3.1.16 Orbiter to upper stage vehicle connections shall be designed for
emergency manual release by orbiter crew member in extravehicular
activity. (RR-1.1.010) (II-5.3)

II-3.1.17 For upper stage vehicles with propulsion systems using common
bulkheads, the design of the propulsion system shall only allow
pressurization of both tanks to occur simultaneously, so as not
to exceed the allowable differential pressure. (RP-1.1.011) (II-5.4)

II-3.1.18 A backup means shall be provided for the orbiter crew to vent
or pressurize upper stage vehicles with a pressure stabilized
structure. (RP-1.1.012)

II-3.1.19 The support structure of a pressure stabilized upper stage
vehicle in the shuttle shall allow shuttle de-orbit, re-entry
and landing following loss of pressurization in the upper stage
vehicle while in the orbiter cargo bay in orbit. (GR-1.1.012) (II-5.5)

II-3.1.20 A backup means of dumping propellants and pressurants from a
retrieved upper stage vehicle shall be available. (RP-1.1.013)

II-3.1.21 The capability shall be provided on upper stage vehicles for
remote emergency jettisoning of deployable equipment to allow
retrieval and stowage in the orbiter cargo bay. (GP-1.1.015)

II-3.2 SAFETY DEVICES

Hazardous Payloads

II-3.2.1 Relief capability shall be provided for the upper stage vehicle
tanks which automatically limits maximum pressure. Venting
shall be to space or to a tank at lower pressure, and shall
be arranged so that mutually reactive fluids cannot mix and
result in a fire or explosion. (RR-1.L, 1.1.001)

II-3.2.2 Capability shall be provided for the orbiter crew to vent and
dump upper stage vehicle pressurized or hazardous fluids to
space within the time constraints imposed by an abort situation.
This capability shall be available with the cargo bay doors
open or closed. (RP-1.C, 1.1.001) (II-5.6)

II-3.2.3 Interlocks, redundancy, grounding and isolation devices shall
be provided on explosive charges so that no single detectable
failure or combination of undetectable failures shall result
in premature detonation. (RP-1.1.003)

II-3.2.4 A restraint system shall be provided for the upper stage
vehicles in the orbiter cargo bay which prevents contact of
the vehicle with orbiter structure or equipment in the event
of partial or total release of the attachment points. (RP-1.1.008)

II-3.2.5 Capability shall be provided for the orbiter crew to selectively
pressurize or vent each tank of an upper stage vehicle using a
common bulkhead. This capability shall be available with the
orbiter cargo bay doors open or closed. (RP-1.1.011) (II-5.4)

II-3.3 WARNING DEVICES

Hazardous Payloads

II-3.3.1 Capability shall be provided to detect potential tank failures
by measurement of fluid pressures, temperatures, tank strains,
or other means. (RF-1.F, 1.1.001)

II-3.3.2 Upper stage vehicle monopropellant temperatures and pressures
shall be monitored. (RR-1.1.004) (II-5.7)

II-3.3.3 For upper stage vehicles with propulsion tanks using common
bulkheads, differential pressure between the two tanks,
common bulkhead strain, or other indications of potential
failure, shall be monitored by the orbiter crew. (RP-1.1.011)

II-3.4 OPERATIONAL PROCEDURES

Hazardous Payloads

II-3.4.1 Pressurizing gas on upper stage vehicles shall be turned off
until immediately prior to release of the vehicle from the
orbiter. (RP-1.H, 1.1.001) (II-5.8)

II-3.4.2 Liquid propellants of retrieved upper stage vehicles shall be
dumped to space before initiation of the shuttle orbiter deorbit
maneuver. (RP-1.Q, 1.1.001)

II-3.4.3 Upper stage vehicle propellant tank pressures shall be reduced
to the minimum operating value before retrieval into the orbiter
cargo bay. (RP-1.R, 1.1.001)

II-3.4.4 Crew procedures for monopropellant dump shall be provided in
case of rapid rise in pressure or temperature. (RR-1.1.004) (II-5.7)

II-3.4.5 Cleanliness of the monopropellant and all materials in normal
contact with the fluid shall be controlled so that spontaneous
decomposition in normal and emergency environments is not
possible. (RP-1.1.004)

II-3.4.6 Orbiter crew control of upper stage vehicle shall be provided
until separation from the orbiter precludes possibility of
recontact. (RP-1.U, 1.1.005) (II-5.9)

II-3.4.7 The planned attitudes of the upper stage vehicle during release
and separation from the orbiter shall be such that the attitude
control engines at no time accelerate the vehicle towards the
orbiter. (GR-1.1.009)

II-3.4.8 Upper stage vehicle attitude shall be controlled by command of
the orbiter crew immediately following release. (RR-1.1.009)

II-3.4.9 Internal attitude control signal of the upper stage vehicle
shall be monitored for accuracy by the orbiter crew before
release. (RP-1.1.009)

II-3.4.10 Upper stage vehicle shall be switched from command control to
internal attitude control after orbiter has been sufficiently
moved that no attitude change could result in collision.
(RP-1.1.009)

II-3.4.11 Upper stage vehicle shall be switched from command control by
the orbiter crew to internal translation control when sufficient
time is available for the orbiter crew to execute evasive
maneuvers following any main propulsion or guidance failure.
(RR-1.1.009)

II-3.4.12 The trajectories of the orbiter and the upper stage vehicle
shall be continually compared following release, and a means
for shutting down the upper stage vehicle shall be provided
if a collision appears imminent. (RR-1.1.009)

II-3.4.13 Dumping of propellants and pressurants from a retrieved upper
stage vehicle shall be accomplished before initiation of the
shuttle orbiter deorbit maneuver. (RP-1.1.013)

II-3.4.14 Dumping of propellants and pressurants from a retrieved upper
stage vehicle shall be controlled by the orbiter crew. (RP-1.1.013)

II-3.4.15 An upper stage vehicle in which propellant and pressurants have
not been dumped shall not be returned into the orbiter cargo
bay. (RR-1.1.013)

II-3.4.16 Procedures shall be available for extra-vehicular inspection
and release or re-attachment of partially released or
depressurized upper stage vehicles in orbit. (RR-1.X, 1.1.010) (II-5.3)

II-3.5 RESIDUAL HAZARDS

Columns: Acceptable Risk; Unresolved Safety Issues; SRT Requirements

II-3.5.1 Explosion/rupture of a pressurized container in an upper stage
vehicle inside or near shuttle. (1.1.001)

II-3.5.2 Combination of mutually reactive upper stage vehicle fluids in
explosion or fire inside or near shuttle. (1.1.002)

II-3.5.3 Rapid decomposition of monopropellants located in or leaking
from the upper stage vehicle while inside or near shuttle. (1.1.004)

II-3.5.4 Leakage of corrosive fluids from upper stage vehicle tanks while
inside the orbiter. (1.1.006)

II-3.5.5 Inadvertent start of an upper stage vehicle rocket engine while
inside shuttle cargo bay. (1.1.007)

II-3.5.6 Inadvertent separation of any part of upper stage vehicle while
attached to the shuttle. (1.1.008)

II-3.5.7 Loss of attitude/translation control of upper stage vehicle upon
release from shuttle. (1.1.009)

II-3.5.8 Rupture of common bulkhead tanks in upper stage vehicles while
in or near shuttle. (1.1.011)

II-3.5.9 Loss of pressurization in pressure stabilized upper stage
vehicle. (1.1.012)

II-3.5.10 Inability to close cargo bay doors after retrieval of upper
stage vehicle because of interference with upper stage vehicle. (1.1.015)

II-4.0 INTERFACE SAFETY REQUIREMENTS AND GUIDELINES


This section contains interface safety requirements and guidelines 
required by upper stage vehicles to be applied on interfacing vehicles. 
These interface requirements and guidelines were developed from analyses 
of specific safety issues, and are grouped in this section by interfacing 
vehicle, as follows: 


II-4.1 Earth Orbital Shuttle 

II-4.1 EARTH ORBITAL SHUTTLE

Hazardous Payloads

II-4.1.1 Vented gases from the shuttle cargo bay shall not be allowed
to flow past the shuttle propellant tanks. (RR-1.0, 1.1.001)

II-4.1.2 Orbiter orientation shall point the longitudinal axis toward
the separated upper stage vehicle until a safe separation
distance has been achieved. (RR-1.1.005) (II-5.9)

II-4.1.3 The upper stage vehicle shall be extended and released outside
of the cargo bay such that upper stage vehicle rotation about
any one attachment point or about its center of gravity in
any direction upon release, will not impact any part of the
orbiter. (RR-1.W, 1.1.009) (II-5.10)

II-4.1.4 Capability shall be provided for visual inspection of an
orbiter payload before initiating retrieval and loading into
the orbiter cargo bay. (RP-1.1.015)

II-4.1.5 Positive indication shall be provided to the orbiter crew that
a retrieved payload has been properly secured in the cargo bay
before closing the cargo bay doors. (RP-1.1.015)

II-4.1.6 Procedures shall be available for extravehicular or remote
inspection, extension, and release or re-positioning of
improperly stowed upper stage vehicles in orbit. (RR-1.1.015)

II-4.1.7 Special orbiter attitude and translation motions shall be
planned to assist release of any single residual connection
with the upper stage vehicle. (GR-1.1.010) (II-5.3)

II-5.0 RATIONALE FOR REQUIREMENTS AND GUIDELINES


This section discusses the rationale for some of the requirements and
guidelines. This discussion is confined to cases in which the rationale may
not be obvious, or where some clarifying explanations are in order. The
discussion in general follows the order of the requirements and guidelines,
and reference is made in parentheses, where appropriate, to specific
requirements and guidelines.

II-5.1 The state-of-the-art is approaching the capability to design
pressure tanks so that their failure mode when overpressurized
does not produce shrapnel. This can be done, for example, by
using appropriately large factors of safety, or by using
fiberglass wound tanks. Shrapnel is potentially catastrophic to the
orbiter, and use of shrapnel-free tanks would therefore be
highly desirable. Because there is still doubt about the
practicability of achieving this, it is called out as a guideline
rather than a requirement. (II-3.1.3)

II-5.2 Since the upper stage vehicle attitude control system must be
activated immediately upon release from the orbiter, it is
essential that the attitude control jets do not apply
translational accelerations, but only pure couples. (II-3.1.11)

II-5.3 Hangup of an upper stage vehicle upon release may require only a
small force or moment to free the vehicle. These forces and
moments can be applied by programming appropriate orbiter
accelerations, and the potential maneuvers should be defined in advance.
These maneuvers should stay within structural capabilities and
should allow clearance of the upper stage vehicle from the
orbiter in the event of release or no release. EVA action is
a backup operation to this. (II-3.1.16, II-3.4.16, II-4.1.7)

II-5.4 While various capabilities are recommended to pressurize and
vent tanks for upper stage vehicles with common bulkheads,
the pressure differential between the two tanks must be
maintained within the design limits at all times. An automatic
capability for venting the tanks so as to maintain the allowable
pressure differential has been considered. Such a device would
be relatively complex, however, and would introduce very hazardous
additional failure modes. This capability is therefore
recommended to be under crew control. (II-3.1.17, II-3.2.5)

II-5.5 Even if a pressure stabilized upper stage vehicle loses its
pressurization and collapses, it is still desirable to return
the vehicle to earth for repair. The support structure in
the orbiter bay must therefore be designed for this contingency.
(II-3.1.19)

II-5.6 If an abort decision has been made, safety considerations on
landing require the capability to dump upper stage vehicle
propellants before landing, and hence before deorbit, to
preclude dumping propellants during reentry. If, in addition,
this capability is also lost (perhaps as a result of the abort
cause), then the orbiter must be capable of deorbiting,
re-entering and landing with a fully loaded up payload. Such
a capability is currently provided in the NR orbiter design
at a slightly reduced landing sink speed and factor of safety.

A potential single cause which could both require abort and
prevent dumping of upper stage vehicle propellants is a
mechanical failure of the upper stage vehicle-to-orbiter
dump provisions. In some designs this goes through the cargo
bay doors, and its failure could prevent the doors opening
(thus leading to abort) and prevent propellant dumping.
(II-3.2.2)

II-5.7 Chemical decomposition of unstable chemicals can be detected
by a rise in temperature and pressure. If this is detected,
the fluids can be dumped overboard before catastrophic damage
occurs. (II-3.3.2, II-3.4.4)

II-5.8 Pressurized propellants have a potential for tank rupture.
Pressurization should therefore be planned for the latest time
possible. A tradeoff exists here between exposing the orbiter
to this hazard for a short time by pressurizing before releasing
the upper stage vehicle, and eliminating the hazard to the orbiter
entirely by pressurizing the propellants when the upper stage
vehicle is some distance away from the orbiter. In the latter
case the risk is being taken that a malfunction may occur which
prevents pressurization which may have been correctible before
release, thus losing the mission. On balance, the former risk
was judged to be preferable. (II-3.4.1)

II-5.9 Various measures can be taken to prevent damage to the orbiter
in the event of an upper stage vehicle reaction control engine
malfunction. The best control of the hazard, however, is to
provide capability for the orbiter crew to shut down the
malfunctioning engines. Minimizing the exposed area of the orbiter
is also considered a requirement. (II-3.4.6, II-4.1.2)

II-5.10 Following a deployment mechanism malfunction, the upper stage
vehicle may be free to rotate about the remaining attach points,
or, if completely unattached, may be rotating about its center
of gravity. Under such circumstances the upper stage vehicle
must not contact the orbiter. (II-4.1.3)

PART III - SPACE STATION


III-3.0 SAFETY REQUIREMENTS AND GUIDELINES


This section contains safety requirements and guidelines developed 
from analyses of specific safety issues. The requirements and guidelines 
are grouped into five sub-sections, corresponding to the five steps of the 
hazard reduction precedence sequence. These five sub-sections are: 


III-3.1 Design Requirements and Guidelines
III-3.2 Safety Devices
III-3.3 Warning Devices
III-3.4 Operational Procedures
III-3.5 Residual Hazards



III-3.1 DESIGN REQUIREMENTS AND GUIDELINES 


Hazardous Payloads

III-3.1.1 Toxic, flammable or corrosive fluid containers shall be located
in unpressurized volumes of pressurized payloads, or shall be
double contained with the capability of dumping the fluid to
space or off-loading to another double container, and of venting
the space between the two containers to space. (RP-1.Y, 1.2.001) (III-5.1)

III-3.1.2 Capability shall be provided to purge or dump to space a toxically
contaminated or corrosive atmosphere in a pressurized orbiter
payload. (RR-1.d, 1.2.001)

III-3.1.3 Capability to release, eject, or extend the payload shall be
provided so as to prevent damage to the orbiter at the expense
of the payload. (RR-1.h, 1.2.002)

III-3.1.4 Capability shall be provided for the orbiter crew to vent and
dump pressurized, flammable or hazardous payload fluids to space
within the time constraints imposed by an abort situation. This
capability shall be available with the cargo bay doors open or
closed. (RR-1.i, 1.2.002)

III-3.1.5 Capability shall be provided to switch off all electrical loads
to payload from the orbiter. (RP-1.j, 1.2.002)

III-3.1.6 Fire and heat resistant protection of orbiter to payload command
and instrumentation interfaces shall be provided. (R?-1.m, 1.2.002) (III-5.2)

III-3.1.7 Capability shall be provided to automatically shut off forced
air circulation in a pressurized orbiter payload upon detection
of a fire. (RR-1.2.003) (III-5.3)

III-3.1.8 Materials used in pressurized payloads shall be subject to the
same flammability control procedures as those used within the
orbiter pressurized volumes. (RR-1.2.003)

III-3.1.9 Access for visual inspection by intravehicular activity or
remotely by instrumentation shall be provided to all primary
structure of pressurized payloads while in the orbiter cargo
bay. (GR-1.2.004)

III-3.1.10 The factors of safety of pressure vessels while in or near the
orbiter shall be at least equal to the orbiter tank factors
of safety. (GP-1.2.005)

III-3.1.11 Gaseous content of pressurized tanks shall be small enough so that
rapid isentropic expansion into the orbiter cargo bay will not
result in overpressure. (RR-1.2.005)

III-3.1.12 Tanks shall be designed so that failure due to overpressure will
not produce shrapnel. (GR-1.C, 1.1.001) (III-5.4)

III-3.1.13 Pressurized tanks shall be located or protected by shrapnel proof
barriers so that explosion of one will not propagate to others.
(RR-1.2.005)

III-3.1.14 Pressurized tanks shall be located or provided with shrapnel proof
barriers so that orbiter crew and passenger compartments and
equipment required for orbiter return to earth will be protected
in the event of a tank explosion. (RR-1.2.005)

III-3.1.15 Plumbing connections for hazardous fluid transfer in pressurized
areas shall be double contained with the capability of venting
the space between the two containers to space. (RR-1.3.002)

III-3.1.16 Cargo beyond the limits allowed for hand transfer shall be
transferred on guide rails or other mechanisms which positively
constrain the angular and linear motion of the cargo except in
the direction of motion. (RP-1.3.002) (III-5.5)

III-3.1.17 Cargo handling mechanisms shall allow for stoppage of the motion,
reversal of the motion, or release of the cargo at any point
along the transfer path. (RP-1.dd, 1.3.002)

III-3.1.18 Cargo handling mechanisms shall be designed to withstand the
propulsive forces that would result from a leaking or ruptured
fluid cargo. (RR-1.hh, 1.3.002)

III-3.1.19 Separate lines shall be used for the transfer of fuel and
oxidizer. (RR-1.3.003)

III-3.1.20 Cargo shall be packaged during transfer so as to have no
exposed sharp edges or corners. (RR-1.3.004)

III-3.1.21 Crew controlled cargo transfer velocity shall be limited so that
the cargo can at all times be stopped within the visible
range. (RP-1.3.004)

III-3.1.22 Cargo beyond the limits allowed for hand transfer shall be
transferred on guide rails or other mechanisms which positively
constrain the angular and linear motion of the cargo except in
the direction of motion. (RP-1.3.004)

III-3.1.23 Capability shall be provided to rapidly evacuate personnel from
and seal off radioactively contaminated modules until they can
be returned to earth. (RR-1.3.005)

III-3.1.24 Means shall be available for decontaminating equipment and personnel
exposed to radioactive material and for storing and returning to
earth radioactively contaminated clothing and other material.
(RR-1.3.005)

Docking

III-3.1.25 The reflectance of surfaces on docking vehicles and the docking
system that are visible to the controlling crew and T.V. cameras
shall be below eye and vidicon damage levels. (RP-2.1.001)

III-3.1.26 The vidicon tubes for docking shall be designed for low sensitivity
to tube image burn. (GP-2.1.001)

III-3.1.27 Redundant or replaceable lighting provisions shall be provided for
docking. (RP-2.1.001)

III-3.1.28 Redundant or replaceable vidicon tubes shall be provided for docking.
(RR-2.1.001)

III-3.1.29 Redundant or replaceable video monitors shall be provided.
(RR-2.1.001)

III-3.1.30 The reaction jet control system shall provide redundancy to preclude
"jet stuck on" and "jet stuck off" conditions. (RP-2.A, 2.1.002)

III-3.1.31 Docking system rapid emergency release capability shall be provided.
(RR-2.1.003)

III-3.1.32 The docking system shall be designed to withstand normal jackknifing
vehicle dynamics and will limit attitude excursions to within
prescribed limits as determined by vehicle geometry to prevent
inadvertent vehicle contact. (RR-2.1.003)

III-3.1.33 The docking system shall be capable of withstanding vehicle
oscillation and loads generated by inadvertent attitude control system
activity of either or both vehicles during draw down to rigidize
the capture interface. (RR-2.1.004)

III-3.1.34 Thermal protection shall be provided to prevent jet plume
impingement damage from docking vehicles within the design angular and
linear misalignments. (RR-2.1.004)

III-3.1.35 Capability shall be provided to recycle both capture and seal
latches on the docking system from any phase of their status.
(RR-2.1.005)

III-3.1.36 Docking port environmental covers shall be deployed and not
jettisoned. (RP-2.1.005)

III-3.1.37 All hardware in the docking tunnel will be flush mounted to interior
walls of the cargo/crew transfer tunnel. (RP-2.1.007)

III-3.1.38 Stops shall be provided on hatches to prevent uncontrolled opening
if opened when a pressure differential exists. (RP-2.1.010)


SD 72-SA-0094-5

III-3.1.39 All docking interface equipment shall be grounded. (RR-2.1.011)

III-3.1.40 Electrical umbilicals shall be grounded until connection of the
docking interface. (RR-2.1.011)

III-3.1.41 Thermal blanket temperature control of hydraulic components shall
provide proper operating temperature. (RP-2.2.002)


On-board Survivability

III-3.1.42 Normally habitable compartments of more than 25 m³ (880 ft³) in
volume shall have two or more exits into areas which provide for
personnel survival. These exits shall be at least 3 m (10 ft)
apart. (RR-3.C, 3.1.001)

III-3.1.43 Flammable, explosive or gas generating material shall be located
so that the energy content which can be propagated at any one
location shall not result in overpressurization of the compartment
from heat and gas production. (RR-3.D, 3.1.001)

III-3.1.44 Flammable, explosive or gas generating material within 3 m (10 ft)
of the entrance to compartments with only one entry/egress path
shall be limited so that the energy content, if released, will
not result in damage or an environment which prevents shirtsleeve
access through the entrance. (RR-3.E, 3.1.001)

III-3.1.45 Capability shall be provided for the emergency shirtsleeve survival
of all on-board personnel until the next resupply or emergency
shuttle flight following the loss of access to any one module/
compartment and the loss of equipment and supplies in that module/
compartment. A shirtsleeve accessible docking port shall be available.
If the loss of the module/compartment divides the station
into two or more isolated habitable sections, then each section
shall provide the survival capability for all on-board personnel,
including an available docking port. (RR-3.F, 3.1.002)

III-3.1.46 A backup EVA egress/ingress hatch which can be used for contingency
EVA shall be available. Capability for depressurization and repressurization
of the connecting compartment/module shall be provided.
(RR-3.J, 3.1.008)

III-3.1.47 Two or more entrances into normally habitable compartments
of more than 25 m³ (880 ft³) in volume shall be shirtsleeve
accessible from each of the other normally inhabited compartments.
These entrances shall be at least 3 m (10 ft) apart.
(RR-3.1.002)

1.48 Where only one shirtsleeve ingress/egress path is provided into a
compartment or module, redundant means shall be available for
opening the connecting hatch(es) from either side. (RR-3.1.005)

1.49 Manned sortie modules and space station modules shall be designed
so that they can be undocked, retrieved into the orbiter cargo
bay and returned to earth unpressurized. (GR-3.1.007)

1.50 Capability shall be provided to depressurize docked modules before
undocking. (RR-3.1.007)

1.51 An emergency IVA or EVA return route shall be available for any
planned IVA activity independent of the normal IVA airlock route.
Depressurization and repressurization capability shall be provided
for the additional compartment(s) or module(s) which must be used.
(RR-3.1.011)

SAFETY DEVICES


Hazardous Payloads

2.1 Toxic, flammable or corrosive fluid containers shall be located
in unpressurized volumes of pressurized payloads, or shall be
double contained with the capability of dumping the fluid to
space or off-loading to another double container, and of venting
the space between the two containers to space. (RP-1.Y, 1.2.001)

2.2 Emergency capability shall be provided to sustain personnel when
in a manned payload, following detection of a toxic environment
in the payload, until escape into the orbiter can be effected.
(RR-1.b, 1.2.001)

2.3 Special protective garments and equipment shall be provided for
personnel working in a toxic environment or near potentially
toxic payload elements. (RP-1.c, 1.2.001)

2.4 Manually and remotely controlled means shall be provided in
pressurized orbiter payloads for controlling and extinguishing
fires. (RR-1.2.003)

2.5 Emergency life support shall be provided for all personnel in
manned orbiter payloads sufficient to allow them time to control
a fire and/or escape to the orbiter. (RR-1.2.003)

2.6 Capability shall be provided to relieve atmospheric pressure from
an orbiter payload so as to prevent pressurization beyond the
payload structural limits. This capability shall be automatic
when the payload is not manned, and under control of the occupants
when manned. The maximum dump rate shall not exceed the venting
capability of the orbiter cargo bay with the cargo bay doors
closed. (RR-1.2.003)

2.7 Means shall be provided for the local application of radiant or
other type of heat remotely or by personnel in IVA or EVA activity
to evaporate accumulations of frozen fluids from critical areas.
(RR-1.2.004) (III-5.6)

2.8 Relief capability shall be provided for pressurized tanks which
automatically limit maximum pressure. Venting shall be to space
or to a tank at lower pressure, and shall be arranged so that
mutually reactive fluids cannot mix and result in a fire or
explosion. (RP-1.2.005)

2.9 Hazardous fluids or materials shall be double contained during
handling and transfer in pressurized areas. Capability shall be
provided to verify the integrity of both containers before and
after transfer. (RP-1.o, 1.3.001) (III-5.7)

III-3.2.10 Capability shall be provided to vent the space between double
containers for hazardous fluid handling to space and for dumping
the fluid to space or off-loading to another container. (RP-1.p, 1.3.001)

III-3.2.11 Packaging of hand-carried cargo shall be provided with multiple
hand holds, shall allow forward visibility by the controlling
personnel, and shall be capable of surviving impact against a
sharp object at 3 m/sec (10 ft/sec). (RP-1.aa, 1.3.001) (III-5.8)

III-3.2.12 Provisions shall be made for rapidly securing hand-carried cargo
to various structural points along the transfer path so as to
prevent loss of control of the cargo in the event of an emergency.
(RP-1.bb, 1.3.001)

III-3.2.13 Corrosive fluids or materials shall be double contained during
handling and transfer in unpressurized areas. Capability shall
be provided to verify the integrity of both containers before
and after transfer. (RP-1.3.003)

III-3.2.14 Cargo of more than 45 kg (100 lb) mass, or hazardous cargo shall
be tethered at all times during handling and transfer in pressurized
areas either to the spacecraft structure or to the transfer mechanism
so as to limit the possible travel of the cargo following
a failure of the primary cargo attach mechanism. (RR-1.3.004) (III-5.9)

III-3.2.15 Automatic and/or crew controlled emergency means shall be provided
for shutting off power and arresting the motion of cargo transfer
mechanisms. (RR-1.3.004)

III-3.2.16 Spare shielded containers shall be available in which radioactive
materials can be temporarily stored in the event of an accident.
(RR-1.3.005) (III-5.14)

III-3.2.17 Means shall be provided for locating radioactive material which
has been inadvertently released in a module. (RR-1.3.005) (III-5.14)

Docking

III-3.2.18 Window, vidicon, and EVA visor filters shall be provided to protect
eyes and camera from docking laser light damage. (RP-2.1.001)

III-3.2.19 Inhibit capability shall be provided to control the "jet stuck on"
condition. (RR-2.C, 2.1.002)

III-3.2.20 Either manual and/or redundant automatic attitude hold inhibit functions
shall be provided to the applicable docking vehicle on indication
of capture. (RP-2.1.004)

III-3.2.21 Control system inhibit switches shall be protected from inadvertent
activation or deactivation. (RP-2.1.004)

III-3.2.22 Docking latching systems recycle switches shall be protected from
inadvertent activation. (RP-2.1.005)

2.23 Stowage or tie down shall be provided for crew and critical equipment
during docking. (GP-2.1.008)

2.24 Means shall be provided to equalize pressures on both sides of a
hatch before opening it. (RP-2.1.010)

2.25 Circuit breaker protection of all interface instrumentation shall be
provided. (RR-2.1.011)


On-board Survivability 

2.26 Capability shall be provided to reduce the pressure in each compartment
sufficiently, or increase it in the adjoining compartment(s)
and to cut off air circulation, so that in an emergency the atmosphere
in the affected compartment will not be propagated into
adjoining compartments. This capability shall be controlled
remotely from each compartment. (RR-3.A, 3.1.001)

2.27 Automatic venting capability shall be provided in each compartment
so that in the event of a fire or release of gases within the compartment
the pressure will not exceed the structural limits of the
structure or the capability of seals to other compartments to exclude
the contaminated atmosphere. (RR-3.B, 3.1.001)

2.28 Emergency portable life support systems shall be available in the
airlock sufficient to sustain IVA personnel in an emergency IVA
or EVA return from a planned IVA activity. (RR-3.1.011)

III-3.3 WARNING DEVICES


Hazardous Payloads

III-3.3.1 Means shall be provided for detecting the presence of spilled
hazardous fluids or materials while being handled or transferred
between pressurized modules. (GR-1.t, 1.3.001)

III-3.3.2 Capability shall be provided to detect potential tank failures by
measurement of fluid pressures, temperatures, tank strains, or
other means. (RP-1.F, 1.1.001)

III-3.3.3 Double contained toxic, flammable or corrosive fluid containers
shall be provided with means to detect leakage of the toxic,
flammable or corrosive fluid into the space between the containers,
and with means to detect penetration of the outside container.
(RP-1.Z, 1.2.001)

III-3.3.4 Means shall be provided for detecting a toxic, flammable, or
oxygen enriched environment in pressurized orbiter payloads
containing toxic, potentially toxic, flammable, oxygen enriched
fluids. (RP-1.a, 1.2.001) (III-5.10)


Docking

III-3.3.5 Positive, redundant indication of docking capture latch shall be
provided to the vehicle which is to inhibit its control system.
(RR-2.1.004)

III-3.3.6 Positive indication of docking capture latch status shall be provided
to assure they are each (1) armed, (2) triggered, (3) engaged, and
(4) locked. (RR-2.1.005)

III-3.3.7 Positive, redundant indication of docking port seal latch status shall
be provided to assure they are each (1) armed, (2) triggered, (3) engaged,
and (4) locked prior to opening transfer tunnel. (RR-2.1.005)

III-3.3.8 Annunciator warning to all personnel shall be provided prior to
manned docking maneuvers. (RP-2.1.008)

III-3.3.9 Means shall be provided to verify the integrity of a docking hatch
seal before separating a docked module or vehicle. (RP-2.1.010)

III-3.3.10 Positive redundant indication of the pneumatic attenuation system
status of the extendable docking system shall be provided.
(RR-2.3.003)

III-3.4 OPERATIONAL PROCEDURES


Hazardous Payloads

III-3.4.1 Hand carried cargo shall be limited to 45 kg (100 lb) mass, provided
the center of mass is within 35 cms (14 ins.) of the handhold. Cargo
which exceeds these limits shall be transported with mechanical
assist. (RP-1.y, 1.3.001) (III-5.9)

III-3.4.2 Cargo in which a rupture or leakage through the containers would
result in uncontrolled motion of the cargo because of propulsive
forces beyond a single man's capability to control or because
toxicity requires immediate abandonment and evacuation of the area
shall not be hand-carried. (GR-1.z, 1.3.001)

III-3.4.3 The transfer of cargo with mechanical assist shall either be visually
monitored by personnel who are free of other duties, or shall be
provided with sensing devices which automatically stop the motion
if the cargo interfaces with structure or equipment. (RP-1.ee, 1.3.002)

III-3.4.4 Personnel shall not be located during cargo transfer in positions
which can result in their entrapment if the cargo transfer mechanism
fails. (RR-1.ff, 1.3.002)

III-3.4.5 Emergency procedures shall be available for releasing cargo which
has become jammed in hatches or other restricted areas without
causing damage to the spacecraft structure or equipment.
(RR-1.3.004) (III-5.11)

III-3.4.6 Transfer lines in unpressurized areas shall be purged after the
transfer of hazardous fluids. (RP-1.3.003)

III-3.4.7 Transfer lines in pressurized areas, including double walled lines,
shall be purged after the transfer of hazardous fluids and before
breaking plumbing connections. (RP-1.3.002)

III-3.4.8 Emergency procedures shall be available for the release, handling and
transportation of remotely controlled cargo in the event of failure
of the handling mechanism, or of damage to the packaging of the cargo.
(GP-1.gg, 1.3.002)

III-3.4.9 Transfer lines for hazardous fluids shall be located outside of
pressurized vessels or shall be double walled with the capability
of venting the space between the two containers to space.
(PR-1.3.002)

III-3.4.10 Emergency procedures shall be available for handling, containing,
and disposing of spilled hazardous fluids or materials so as to
safeguard the personnel, orbiter and payload, in that order.
(RR-1.cc, 1.3.001)

4.11 Procedures shall be available for handling and transferring hazardous
fluids or materials in a pressurized area from a singly penetrated
double container to a storage container without releasing fluid or
material to the spacecraft atmosphere. (RP-1.3.001)

4.12 Manual handling and transfer of hazardous fluids or materials shall
be carried out by two or more personnel who shall have no other
duties during this operation. (RP-1.v, 1.3.001) (III-5.12)

4.13 Mutually reactive fluids shall not be handled or transferred simultaneously.
(RR-1.w, 1.3.001) (III-5.13)

4.14 The pressures, temperatures, or other parameters which indicate the
status of hazardous fluids or materials shall be verified before
they are transported. (RP-1.x, 1.3.001)


Docking

4.15 The pressures on each side of a hatch shall be verified before
opening the hatch. (RP-2.1.010)

4.16 Personnel will only be transferred between the orbiter and the
station through a rigidly connected docking interface between the
two vehicles. (RR-2.4.003)


On-board Survivability

4.17 Personnel shall not be allowed in a sortie or space station module
during repositioning of the module from one docking port to another.
(RR-3.1.006)

III-3.5 RESIDUAL HAZARDS


                                                      Acceptable  Unresolved     SRT
                                                      Risk        Safety Issues  Requirements

III-3.5.1   Exposure of the shuttle crew or               X
            passengers to a toxic environment
            released from a vessel in the payload
            containing a toxic fluid. (1.2.001)

III-3.5.2   A fire in the cargo bay resulting from                                   X
            release and ignition of a flammable
            fluid in an unpressurized payload.
            (1.2.002)

III-3.5.3   A fire in a pressurized payload in the                                   X
            cargo bay resulting from release and
            ignition of a flammable fluid. (1.2.003)

III-3.5.4   A corrosive environment in the shuttle                                   X
            cargo bay resulting from leakage or
            rupture of a payload vessel containing
            a corrosive fluid. (1.2.004)

III-3.5.5   An explosion in the shuttle cargo bay                      X
            of a potentially explosive payload
            vessel. (1.2.005)

III-3.5.6   Spillage or leakage of hazardous fluid                                   X
            or material during manual transfer in
            pressurized modules. (1.3.001)

III-3.5.7   Spillage or leakage of hazardous fluids                                  X
            or materials during mechanically
            assisted or remote transfer in
            pressurized modules. (1.3.002)

III-3.5.8   Spillage or leakage of hazardous fluid        X
            or material during remote transfer in
            unpressurized area (1.3.003)

III-3.5.9   A radioactive environment in a sortie         X
            module or space station, resulting
            from exposure or escape of radioactive
            material during transfer and handling
            of radioactive materials. (1.3.005)

III-3.5.10  Loss of vehicle control prior to                                         X
            docking contact.

III-3.5.11  Loss of vehicle control after                                            X
            initial contact.

III-3.5.12  Loss of docking system function               X
            or control.

III-3.5.13  Failure of orbiter payload module             X
            deployment mechanism.

III-3.5.14  Loss of vehicle control in close                                         X
            proximity to other vehicle.

III-3.5.15  Loss of vehicle control prior to                                         X
            docking contact by extendable
            tunnel.

III-3.5.16  Loss of vehicle control after                                            X
            capture by extendable tunnel
            docking system.

III-3.5.17  Loss of vehicle control prior to                                         X
            capture by manipulator.

III-3.5.18  Loss of vehicle control after                                            X
            capture by manipulator.

III-3.5.19  Loss of manipulator joint motor                                          X
            control.

III-3.5.20  Loss of Communications/Command                X
            capability during docking by
            unmanned free flying module.

III-3.5.21  Loss of propulsion or control                              X
            capability during docking by
            manned free flying module.

III-3.5.22  Loss of life support capability               X
            during docking by manned free
            flying module.

III-4.0 INTERFACE SAFETY REQUIREMENTS AND GUIDELINES


This section contains interface safety requirements and guidelines
required by the space station to be applied on interfacing vehicles. These
interface requirements and guidelines were developed from analyses of
specific safety issues, and are grouped in this section by interfacing
vehicle, as follows:


III-4.1 Earth Orbital Shuttle

EARTH ORBITAL SHUTTLE

Hazardous Payloads

.1 Access for visual inspection by intravehicular activity or
remotely by instrumentation shall be provided to all primary
structure inside the cargo bay or equipment in the cargo bay
required for return to earth. (GR-1.2.004)

.2 Capability shall be provided to isolate orbiter environmental
control system from payload to prevent toxic fumes from entering
the orbiter. (RR-1.2.003)


Docking

.1.3 Maneuvering procedures during docking shall preclude directing sunlight
into controlling crew's eyes or into the vidicon tubes of the
visual system. (RP-2.1.001)

.1.4 Thermal protection shall be provided to prevent jet plume impingement
damage from docking vehicles within the design angular and
linear misalignments. (RR-2.1.004)

.1.5 Two or more manipulators shall be provided in a manipulator docking
system. Each manipulator shall be capable of performing docking by
itself, and shall also be capable of continuing any docking function
in the event of a failure of the other manipulator at any stage of
the docking. (RR-2.4.003)

III-5.0 RATIONALE FOR REQUIREMENTS AND GUIDELINES


This section discusses the rationale for some of the requirements and
guidelines. This discussion is confined to cases in which the rationale may
not be obvious, or where some clarifying explanations are in order. The
discussion in general follows the order of the requirements and guidelines,
and reference is made in parentheses, where appropriate, to specific requirements
and guidelines.


III-5.1 Wherever a fluid can create an immediate hazard if released from
its container into a pressurized environment, double containment
is recommended. This implies a double failure to result in a
hazardous release of the fluid. In order to ensure that this
redundancy is available, the volume between the double containers
must be monitored for leakage. Venting capability is necessary
to allow the outside container to be of reasonably light-weight
construction. (3.1.1)

III-5.2 Thermal insulation for protection against radiation from a fire
and to reduce heat conduction into structure and equipment would
considerably reduce the hazard from a fire in the cargo bay.
This is not generally considered feasible, however, because of
the weight and volume constraints, and is only recommended for
essential instrumentation. (3.1.6)

III-5.3 One of the most effective means for containing a fire in zero-g
is to eliminate convection currents, thus cutting down the flow
of fresh oxygen to the fire. Forced air circulation should be
cut off immediately if a fire is detected, and capability to do
this automatically should be provided in case the payload is
unmanned at the time. (3.1.7)

III-5.4 The state-of-the-art is approaching the capability to design
pressure tanks so that their failure mode when overpressurized
does not produce shrapnel. This can be done, for example, by
using appropriately large factors of safety, or by using fiberglass
wound tanks. Shrapnel is potentially catastrophic to the
orbiter, and use of shrapnel-free tanks would therefore be highly
desirable. Because there is still doubt about the practicability
of achieving this, it is called out as a guideline rather than a
requirement. (3.1.12)

5 Cargo transferred with mechanical assist should not be unrestrained
at right angles to the direction of motion, since this could result
in damage by impact. (3.1.16)

III-5.6 If a corrosive fluid leaks in the cargo bay, expansion and evaporation
may cause some of the fluid to freeze, possibly attached to
structure or equipment. This may remain frozen until re-entry
or landing, when the solid may melt and increase its corrosive
action. Means for applying heat to any solidified fluids are
therefore required, possibly by IVA or EVA personnel, to evaporate
and disperse the frozen fluids. (3.2.7)

III-5.7 It should take at least a double failure to result in release of
hazardous fluids during cargo transfer. Double containment is
therefore required, with means to verify the integrity of both
containers so as to ensure the required redundancy. (3.2.9)

III-5.8 The maximum speed at which any piece of hand-carried cargo may be
propelled, intentionally or by accident, has been estimated on
human factors consideration to be 3 m/sec (10 ft/sec). Cargo
should be designed to survive such an impact. An alternative
means of specifying this limit could be by defining the momentum
of the package, thus allowing for an inverse variation of velocity
with mass. (3.2.11)

III-5.9 Limitations should be placed on the mass and inertias of hand-carried
cargo. The best available data has been used, but these
limits should be up-dated if better human factors data becomes
available. (3.2.14, 3.4.1)

III-5.10 Toxic fluids are generally toxic when in a gaseous or finely
divided form. A toxic environment is therefore considered
detectable, e.g., by a gas analyzer. By contrast, corrosive
fluids generally act in a liquid form and cannot practically
be detected. (3.3.4)

III-5.11 Jamming of cargo in doors, hatches or other restricted areas can
result in severe loss or damage if not handled with method and
patience. Procedures for releasing such cargo should be developed
ahead of time. Certain tools or other aids may also be found
necessary by developing these procedures. (3.4.5)

III-5.12 The "buddy" system is recommended when hazardous fluids or material
is being handled so that one man can come to the assistance of
the other in the event of an accident or problem. Handling of
hazardous fluids or materials should be a dedicated task, so as
not to allow a problem to occur because of interference with
other tasks. (3.4.12)

III-5.13 A single accident could damage two or more containers. Mutually
reactive fluids should therefore not be handled together. (3.4.13)

III-5.14 Relatively few uses of radioactive material are currently planned
for sortie and solar-array powered space station missions. However,
Atomic Energy Commission regulations call for strict safety measures
to keep control of the radioactive material, and to minimize the
possibility of exposing the general population on earth to excessive
radiation as a result of an accident. (3.2.16, 3.2.17)
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